- Checkmarx Documentation
- Checkmarx One
- Checkmarx One Integrations
- CI/CD Integrations
- Sonar Results for Checkmarx One (Example for GitHub Action)
Sonar Results for Checkmarx One (Example for GitHub Action)
Introduction
You can export scan results directly to Sonar, enabling you to view the Checkmarx One results in your SonarQube or SonarCloud console.
This is done by adding the report flag --report-format sonar
in the additional params of the CLI scan command. This generates a JSON that is formatted according to the Sonar specifications.
This capability is available for all CI/CD plugins and CLI integrations. The examples below show the integration for GitHub Action, but they can be generalized for other platforms.
Prerequisites
You have a Checkmarx One account and you have set up the appropriate Checkmarx One plugin or CLI integration in your CI/CD platform.
You have a SonarQube installation or access to a SonarCloud account.
Exporting Results to Sonar
Use the Checkmarx One plugin or CLI tool to create a Checkmarx One scan in your pipeline.
Add the report flag
--report-format sonar
to the scan create command. For plugins, this argument is added in the Additional params section.Use the Sonar plugin to create a Sonar step in your pipeline.
Notice
There is an alternative method that uses a Maven command to send the results to Sonar, see the example below.
In the sonar arguments, add the following argument to point to the report file generated by Checkmarx One:
-Dsonar.externalIssuesReportPaths=./cx_result_sonar.json
Usage Example - GitHub Action
The following example shows how you can create a GitHub Action to run a Checkmarx One scan and export the results to Sonar.
Prerequisites
The following example assumes that you have:
Created the required secrets for use with the Checkmarx One GitHub Action, see Checkmarx One GitHub Actions Initial Setup, and have installed and configured the Checkmarx One Github Action Configuring a GitHub Action with a Checkmarx One Workflow.
Created a Sonar project and configured the Sonar GitHub Action, including creating the required secrets and adding the project to the root file.
Notice
The prerequisites differ slightly if you are using the alternative method, see example below.
GitHub Action Example
The following is an example of the GitHub Action for running a Checkmarx One scan and exporting the results to Sonar.
name: Build on: push: branches: - main jobs: cx-scan: name: Run Checkmarx One cli runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v2 - name: Checkmarx One CLI Action uses: checkmarx/ast-github-action@main with: base_uri: ${{ secrets.BASE_URI }} cx_tenant: ${{ secrets.TENANT }} cx_client_id: ${{ secrets.CLIENT_ID }} cx_client_secret: ${{ secrets.SECRET }} additional_params: --report-format sonar - name: Sonar CLI Action uses: sonarsource/sonarqube-scan-action@master env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: args: > -Dsonar.externalIssuesReportPaths=./cx_result_sonar.json
Alternative Method - Using Maven command
The following example shows an alternative method that uses a Maven command instead of using the Sonar GitHub Action.
name: Security Scan on: push: branches: - main jobs: scan: runs-on: ubuntu-latest if: ${{ true }} steps: - uses: actions/checkout@v2 - run: | git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/* - name: Set up JDK 11 uses: actions/setup-java@v1 with: java-version: 11.0.7 - name: Cache local Maven repository uses: actions/cache@v2 with: path: ~/.m2/repository key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} restore-keys: | ${{ runner.os }}-maven- - name: Cache SonarCloud packages uses: actions/cache@v2 with: path: ~/.sonar/cache key: ${{ runner.os }}-sonar restore-keys: ${{ runner.os }}-sonar - name: Checkmarx One CLI Action uses: checkmarx/ast-github-action@main with: base_uri: <AST Base URI> cx_tenant: ${{ secrets.CX_TENANT }} cx_client_id: ${{ secrets.CX_CLIENT_ID }} cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }} additional_params: --report-format sonar - name: Sonar analyze run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=<sonar_project_key> -Dsonar.organization=<sonar_organization> -Dsonar.externalIssuesReportPaths=./cx_result_sonar.json env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} GITHUB_TOKEN: ${{ github.token }}
Notice
Check for updates to the code sample in GitHub.